
The simplest way to make Caddy Microk8s work like it should

You’ve got a cluster spinning in Microk8s and need a clean, automated reverse proxy that just works. You install Caddy, expect HTTPS magic, and then run face-first into permissions, service routing, and those half-documented tunneling quirks. Let’s fix that.

Caddy and Microk8s pair beautifully once you stop treating them like strangers. Microk8s handles the Kubernetes side: container orchestration, networking, and local isolation. Caddy brings the TLS automation and dynamic reverse proxy routing. Together, they let you run production-grade web workloads without gluing together nginx configs at 2 a.m.

Here’s how they collaborate. Caddy sits at the network edge, serving as an identity-aware ingress controller. It receives HTTP traffic, requests certificates from Let’s Encrypt, and routes requests to your pods through Microk8s’s built-in endpoints. Microk8s, on its part, exposes services via ClusterIP or LoadBalancer. When Caddy reads those endpoints, it automatically updates upstream definitions—no restart needed. The result is a living proxy stack that updates whenever Kubernetes changes state.

To wire this correctly, map Caddy’s service account to Microk8s RBAC. Use a dedicated service account token with read-only access to endpoint metadata. Skip wide-open API permissions. One wrong rule, and your proxy could dump cluster secrets into its access logs.

Rotate credentials quarterly, and if you manage identity through AWS IAM or Okta, set temporary credentials through OIDC so you can trace every connection. TLS renewal happens automatically, but make sure Microk8s mounts persistent storage for Caddy’s certificates. Otherwise every node update feels like a surprise party you didn’t want.
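Here is what the two paragraphs above look like as manifests. This is an added example, not configuration from the post or from the Caddy project: the namespace `web`, the service account `caddy`, the Role name and the PVC name are assumed, and it presumes whatever Kubernetes-aware module your Caddy build uses reads endpoints with this service account’s token.

```yaml
# Added example: least-privilege RBAC for Caddy plus persistent cert storage.
# Assumed names: namespace "web", service account "caddy", PVC "caddy-data".
# Verify after applying (expect "yes" then "no"):
#   microk8s kubectl auth can-i list endpoints -n web --as=system:serviceaccount:web:caddy
#   microk8s kubectl auth can-i get secrets   -n web --as=system:serviceaccount:web:caddy
apiVersion: v1
kind: ServiceAccount
metadata:
  name: caddy
  namespace: web
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                            # Role, not ClusterRole: scoped to one namespace
metadata:
  name: caddy-endpoint-reader
  namespace: web
rules:
  - apiGroups: [""]
    resources: ["services", "endpoints"]
    verbs: ["get", "list", "watch"]   # read-only; no "secrets", no "*" wildcards
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]      # newer clusters publish these instead of endpoints
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: caddy-endpoint-reader
  namespace: web
subjects:
  - kind: ServiceAccount
    name: caddy
    namespace: web
roleRef:
  kind: Role
  name: caddy-endpoint-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: PersistentVolumeClaim          # mount at Caddy's data dir so certs and the
metadata:                            # ACME account survive pod and node restarts
  name: caddy-data
  namespace: web
spec:
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 1Gi
```

If Caddy must route to services in several namespaces, swap the Role/RoleBinding for a ClusterRole/ClusterRoleBinding with the same read-only verbs and resources rather than widening the verbs.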

Five reasons this pairing wins:

  • Gets automatic certificates for internal and external routes.
  • Eliminates manual ingress YAML churn.
  • Speeds deployments because Caddy reloads dynamically.
  • Adds a natural audit trail when wired with proper RBAC.
  • Feels human: fewer moving parts, faster feedback loops.

When developers use this setup, they spend less energy chasing cluster DNS quirks. New apps show up behind HTTPS immediately. Onboarding new services takes minutes, not tickets. That is real developer velocity: fewer decisions, faster visibility, no trust gaps.

Platforms like hoop.dev turn those access rules into guardrails that enforce policy automatically. Imagine your Caddy reverse proxy backed by an always-on identity proxy that never forgets who should have access. That’s how modern engineering teams keep things fast while staying compliant.

How do I connect Caddy with Microk8s easily?
Run Caddy as a sidecar or standalone deployment using Microk8s’s host networking mode. Point it to cluster endpoints with dynamic discovery. It will handle certificates and routing on its own, cutting setup time to minutes.

The trick is simple: give Caddy just enough visibility to react, not enough to wander. Do that, and your Microk8s edge works clean, secure, and automatic every day you log in.

See an Environment Agnostic Identity-Aware Proxy in action with hoop.dev. Deploy it, connect your identity provider, and watch it protect your endpoints everywhere—live in minutes.